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Abstract 

The problem of unconditional security of quantum cryptography (i.e. the security which is guaranteed by the 
fundamental laws of nature rather than by technical limitations) is one of the central points in quantum information 
theory. We propose a relativistic quantum cryptosystem and prove its unconditional security against any eaves- 
dropping attempts. Relativistic causality arguments allow to demonstrate the security of the system in a simple 
way. Since the proposed protocol does not employ collective measurements and quantum codes, the cryptosystem 
can be experimentally realized with the present state-of-art in fiber optics technologies. The proposed cryptosystem 
employs only the individual measurements and classical codes and, in addition, the key distribution problem allows 
C ■ to postpone the choice of the state encoding scheme until after the states are already received instead of choosing 

it before sending the states into the communication channel (i.e. to employ a sort of "antedate" coding). 



o 
o 

(N 



> 



00 . PACS numbers: 03.65.Bz, 42.50.Dv, 89.70.+C 

The idea of quantum cryptography was first proposed in the paper of Wiesner [1] which, because of the novelty of 
the developed approach, had not been published for a long time and only existed as a manuscript. The idea of Wiesner 
became commonly known after the publication of the paper of Bennett and Brassard [2] . An important advance was 
made in Refs. [3] and [4]. Ekert proposed a cryptosystem based on the EPR-efTect [5]. Bennett et al [4] demonstrated 

■ that any eavesdropping attempt can be reliably detected employing an arbitrary pair of non-orthogonal states. Later 
' a large number of quantum cryptosystems and their realizations were proposed [6] which are not guaranteed to be 

■ unconditionally secure. Currently there exist three proofs of the unconditional security. The proof due to Mayers [7] 
addresses the so-called BB84 protocol [2] and so does the paper of Biham et al [8] . The proof of Lo and Chau [9] deals 

■««^ ' with the protocol based on the EPR-effect [3] and, in contrast to Ref . [7] , requires the access of legitimate users to a 
] quantum computer. The fact that these proofs have not yet become commonly accepted seems to be due to the lack 
^p^' of a qualitative interpretation of their internal structure. Shor and Preskill [10] attempted to simplify these proofs 
'*r^ [ by explicitly using the quantum codes. The first relativistic quantum cryptosystem was proposed by Goldenberg and 
' Vaidman [11]. The proof of its unconditional security is outlined in Ref. [12]. In our opinion, the major obstacle in 
^ ' proving the unconditional security in Refs. [7-10] arises because the corresponding protocols are formulated as the 
O^- exchange protocols in the Hilbert state space and do not explicitly employ the causality considerations and the fact 
I that the legitimate users are spatially separated although in real life the transmission of information always implies the 
preparation of information carriers (quantum systems) , their propagation through the communication channel between 
two distant users, and, finally, performing a measurement of the quantum state of the information carriers at some 
later time. The restrictions imposed on the measurability of quantum states by special relativity were first considered 
' " ' by Landau and Peierls as early as in 1931 [13]. Further analysis was performed in the paper of Bohr and Rosenfeld 
[14]. 

Let us begin with the formulation of the protocol security criterion. Such a criterion seems to have been first 
explicitly formulated in the work of Mayers [7] . Here we shall adopt a different criterion which is more convenient for 
our proof. The protocol should satisfy the two requirements which informally can be outlined in the following way: the 
two strings of N classical bits sa{N) and sb{N), possessed by users A and B after the protocol is completed should 
be (1) identical and (2) known to nobody else. More formally, a protocol is secure if for any N > 1 and any pair of 
real numbers £i > and 62 > its parameters (the employed states, measurements, etc.) can be chosen in such a way 
that: 

1. The probability for the two strings sa{N) and s_B(iV) to differ in at least one bit is less than ei > 0, i.e. 

FvisAiN) ^ ssiN)} < £1; (1) 

in other words (in the language of mutual information between users A and B) for any e'l > it is possible to satisfy 
the inequality 

I{A;B)>N-e[. (2) 
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2. The probability for the eavesdropper E to learn the string sa{N) exceeds the probability of a simple guess, , 
(remember that error probability associated with simply guessing a particular bit is 1/2 and represents the worst 
eavesdropper strategy) by no more than £2: 

Ft{sa{N) = se{N)}<2-'' +62; (3) 

equivalently, the eavesdropper has arbitrarily small information on the strings sa{N) and sb{N) adopted as the key 
of length N by legitimate users: 

I{A;E)<S2, I{B;E)<S2. (4) 

Here the string of bits adopted as the key should not be understood the bits the original bits sent by user A: each bit 
of the key is actually a function of the original bits sent by user A which passed the appropriate tests performed by 
user B aimed at detection of eavesdropping attempts. 

If a single classical bit is to be transmitted, the user A associates with the logical states and 1 of the classical 
bit the density matrices po and pi which can be chosen with the a priori probabilities ttq and tti, ttq + tti = 1. 
Classical information is extracted by performing quantum measurements on the system described by the density 
matrix p = tto/jo + Ti'ipi- The measurements arc described by the identity resolutions in the state space, '^^Ei = I. 
Information on the classical bit sent by user A available to user B is defined as the mutual information maximized over 
all possible measurements which can be performed by user B: 

/(^;i?,po;Pi) =max^|7roTr{po£;jlog2 (^^) + ^iMpiSjlog^ (^|^) | . (5) 

A fundamental upper boundary on the available information is given by the inequality first proved by Holevo [15] (see 
also [16]): 

I{A;B,po;pi) < SyNip) - Yl 

T^iSvN{Pi), SyN{p) = — Tr{plog(p)}, (6) 

i=0,l 

where SyNip) is the von Neumann entropy [17], and the equality is reached if and only if the density matrices po and 
pi commute whit each other. For pure states the latter means that the equality in (6) is reached only for orthogonal 
states (po,i = |V'o,i)(V'o,i| and (■^ojV'i) = 0)- In that case the available information reaches the maximum possible value 
of ' ' ' 

I"'^^{A-B,po;pi) = l Eo = ro = \i^o){M, ^1 = Pi = (7) 

In other words, reliable distinguishability of the orthogonal quantum states allows to transmit the maximum possi- 
ble classical information. However, just because of their reliable distinguishability they cannot be used in quantum 
cryptography (at least in the protocols employing the Hilbert state space properties only). 

It should be emphasized that it is implicitly assumed in Eqs. (5-7) that the entire Hilbert state space is always 

available for measurements. The fact that the causality arguments arc not explicitly used should be understood as 
the possibility for user B to perform the measurement over a quantum state prepared by user A at time Ia at 
arbitrary later time (formally, even at ts = tA + 0)- The measuring operators Ei at different times are related by 
the expression Ei(tB) = U{tB — tA)EiU~^{tB — tA), where Ei is the measuring operator taken at time tA- Then 
the available information (5) does not depend on time and can be obtained immediately after the measurement is 
performed. 

The above formulation of the problem is not only unnatural, but it does not correspond to the real procedure of 
information transmission between two distant parties. As a matter of fact, the information (to be more precise, the 
physical quantum objects carrying that information) always propagate from one user to the other. Therefore, it is 
much more natural to formulate the problem explicitly taking into account the causal relations between the states 
preparation, propagation, and measurements preformed on these states as they reach the second user and become 
available to his measurement apparatus. 

Since the information is carried in the Minkowskii space-time by real physical objects, e.g. photons (rather than 
the abstract physical systems and the rays in Hilbert state space ascribed to them as frequently assumed in the non- 
rclativistic quantum information theory), the role of the instrument (superoperator) in the quantum field theory is 
played by the quantum electrodynamical <S-matrix. The latter should satisfy the unitarity and causality requirements 
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first explicitly derived by Bogolubov [18]: 



SS+=I, ^£^S+{9)^0, for x<y, (8) 

which means that the 5-niatrix does not depend on the behavior of g{x) (the function specifying how the interaction 
is switched on) at point x < y separated from y by a space-like interval. We do not know whether it is possible 
to develop a protocol based on the first principles (general structure of the iS-matrix) alone. Therefore, in the rest 
of the paper we shall adopt a simple one-dimensional model containing all the necessary restrictions imposed by the 
relativistic causality. In addition, the adopted approach is further justified by the fact that the real fiber optics quantum 
communication channels are actually quasi-one-dimensional systems. 

We shall first describe the states and measurements used in the protocol. Legitimate users control the spatially 
separated domains ^Ia and ils of size L. When the protocol is started at Ia = 0, user A prepares with equal probabilities 
one of the following two orthogonal states corresponding to or 1: 

/"OC />OC 

1^^0,1)= / dkJ^{k)a+^{k)\0) = / dfc.F(fc)|fc,eo,i) = |^,eo,i),|fc,eo,i) =a+i(fc)|0), {k,e,\k' ,6^) = S{k - k')5,,, 



(9) 

where aj]^(fc) is the operator creating a photon with momentum fc > and one of the two orthogonal polarization 
states eo and ei, J^{k) is the state amplitude in momentum representation, z,j — 0,1, fc G (0, oo). In the position 
representation the states are written as 

/oo /'OC -I 

T{x-t)\x,t)(S)\eo^i), J^(a;-t)=/ dkT{k)e'''^'"'\ {k\x,t) ^ ^=e'''^''-'\ x, t G (-oo, oo). (10) 
-oo ' Jo V27r 



The amplitude !F{x — t) depends on the difference x — t only, in agreement with the intuitive picture of a packet 
propagating in the positive direction of the x-axis with the speed of light and having the spatio-temporal shape 
described by T{x — t). 

It should be noted that the basis vectors |a;, t) are not orthogonal. Normalization of the state vector in the position 
representation can be written as [19] 

dxe'fcC— *) \ ^ sgn(fc)e-''=", (11) 

J X — t -\- a 

/OO/'OO -| ^'1 /"OO 
/ dxdx'T{x-'t)T*{x' '^t)[-5{x- x') + ;]=/ \T{x-t)\'^dx. (12) 
-ooJ— oo ^ J —oo 

The states are chosen to be almost "monochromatic" , so that the amplitude J-{t) ~ const w 1/ \/L is actually 
represented by a constant wide "plateau" (to within the tails at its ends) and 

dx\T{x-t)\^ ^1-5, 5^Q. (13) 

The decay at the ends can be chosen to be arbitrarily sharp and making 5 arbitrarily small. We shall assume that the 
latter condition is satisfied and the parameter 5 is well the smallest parameter in the problem]^. 

^In our one-dimensional model the non-localizability [20-22] can be derived from the Wiener-Paley theorem [23]. Normalization and 
square integrability conditions in the fc-representation taken together impose restrictions on the asymptotic behavior of the function T{t): 



The function T{t) cannot have a compact support with respect to r and cannot decay exponentially; however, it can be arbitrarily strongly 
localized and possess a decay rate arbitrarily close to the exponential one, e.g. 

T{t) oc exp {— aT/ln(ln...lnT)}, 

where a can be any real number. With this in mind, we shall for simplicity use the finite domains when specifying the limits of integration. 
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Preparation of the extended states when the protocol is started at time = requires the access to the entire 
domain of size L. Intuitively, one can imagine a non-local device of size L which is simultaneously switched on at 
all point of the domain. There are no any formal arguments prohibiting such a state preparation procedure at time 
tA = 0. An extended state can also be prepared by a localized (point-like) source which is switched on at = 
and produces (emits) a state propagating into the communication channel. For definiteness, it will be more convenient 
for us to assume that the state is prepared by a non-local source at time tA = and is immediately allowed at time 
t = tA + to propagate as a whole into the communication channel. 

It is important for the protocol that the length of the quantum communication channel L^h should not exceed the 
effective state extent L, Lch < L. 

At some later time ts when the entire state reaches the domain fig of size L controlled by user B, he performs a 
measurement described by the following identity resolution: 



-f 

J — < 



dx\x,tB){x,tB\(E>Ic^ =Vo{tB) +Vi{tB) +V^{tB), Po,i(*b) = l-^tB,eo,i)(J^tB,eo,i|, (14) 



/OO 
dxJ^{x-tB)\x,tB)<»\eo,i), xeflB, V±{tB) = I-Vo{tB)-Vi{tB). (15) 
-oo 

In other words, user B takes the projection on one of the two states whose amplitude resides entirely in the domain 
Qb- The probabilities of different outcomes at time tB are 

Pv{i,tB;j} = Tr{\iJi){ilJi\Vj{tB)} = Sij [ dx\J^{x-tB)\'^ = Sij, xgSIb- (16) 

J{L} 

If the eavesdropper does not delay the states, he never has access to them as a whole. Therefore, the probability 
of incorrect state identification by the eavesdropper will be different from zero even for orthogonal states. It should 
be emphasized that due to the orthogonal polarizations our states are even locally orthogonal. Formally, that means 
that if at certain moment of time the eavesdropper has only access to a spatial domain smaller than the effective 
extent of the states to be distinguished, the state identification error probability is different from zero. The total error 
probability is the sum of two terms. The first one describes the situation when the measuring apparatus used by the 
eavesdropper did not fire at all. These outcomes are inevitable if the entire states are not available as a whole. The 
error probability in that case is 1/2 (it is actually the error probability for simple guessing strategy). The second term 
in the total error corresponds to the case when the eavesdropper's apparatus fired in the spatial domain available to 
the eavesdropper. The state identification error in that case is strictly zero because of the local orthogonality of the 
states employed. Therefore, the total error is the product of the error for the case when the outcome occurred in the 
domain unavailable to the eavesdropper and the fraction of such outcomes. More formally, the total error is 

Peits) = Pe{ilE,tE) + Pe{^E,tE); (17) 

here il^; is the domain available to the eavesdropper (accordingly, Qe is the unavailable domain, i.e. the completion of 
Qe to the entire position space) and tE is the moment of time when the measurement in the domain Qe was performed. 
The total identity resolution is 

I = I{^lE,tE) + I{^E,tE), I{0,E,tE)=^ _ dx\x,tE,ei){x,tE,ei\, I{QE,tE) = ^ / dx\x,tE , ei){x,tE , Bi]. 

(18) 

Arbitrary strategy with a binary decision function for the outcomes in the domain fi^ is described by an appropriate 
identity resolution on Qe- The lowest error probability Pe{flE, tE) is found by the minimization over all possible identity 
resolutions /(ri^) [16] 

Pe{^E,tE) = min IIti{\^o){-4>o\Ei} + ^Tt{\^/ji){^i\Eo}} . (19) 



Eq^Ei I 2 2 
Eq^i is easily found and the total state identification error Pe{^E,tE) = proves to be 



£^0,1= / dx\x,tE;eo,i){x,tE;eo,i\, Pei^stE) = \N{Q.E,tE) = \ (_ dx\J^{x - tE)\^ ■ (20) 
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Accordingly, if the spatial domain flE available to the eavesdropper has a fixed size, the probability of correct identi- 
fication by the eavesdropper of the bit sent by user A is 



PoxitE) = I - Pei^EtE) - Pei^EtE) = ^ (^1 + dx\J^{x - tE)^^ (21) 

Thus the information on the bit sent by user A available to the eavesdropper depends on the size of the available 
domain and the choice of the moment when the measurement is performed. This information can be calculated using 
Eq. (5) taking into account that the measurement is described by the identity resolution {Ei} = {%^, Eq, Ei} (where 
Eq i are taken from Eq. (20)). The available information is a sum of two terms. The first term describes the part of 
the mutual information given by the outcomes in the unavailable domain (when the eavesdropper's apparatus did not 
fire at all) while the second one originates from the outcomes in the available domain Qe- 

I {A; E,Q.E,tE) = I{A- E,po,px,Q.E,tE) + I{A- E, pQ, px,Q.E,tE). (22) 
Calculation according to Eq. (5) taking into account that {Ei} = {I-^ ,Eo,Ei} and ttq = tti = 1/2 yields 



I{A;E,po,pi,QE,tE) = 0, Tr{po,iI^J = ^Tr{pI^J, p=^(po + Pi), (23) 



I{A;E,po,pi,nE,tE)= I dxlJ'ix - tE)\\ Tv{poEo} = Tt{piEi} = Tr{pEo,i} . (24) 

Therefore, the largest mutual information on the transmitted bit available to the eavesdropper depends on the moment 
of the measurement and the fraction of the state residing in the available domain. In this way the propagation of 
information in the space-time is explicitly accounted for, in contrast to the protocols formulated in the state space only. 
It is not surprising that the mutual information due to outcomes in the imavailable domain is zero since the state 
identification error probability in that case is 1/2. On the other hand, if the outcome took place in the available 
domain, the identification error is zero, so that the mutual information is proportional to the fraction of outcomes 
occurring in the available domain. To increase the mutual information, the eavesdropper should effectively extend 
the available domain (wait until a larger part of the state travel from the domain controlled by user A to the domain 
available to his measurements). 

Let the effective increase in the domain size available to the eavesdropper (compared to the length of the commu- 
nication channel which is supposed to be entirely available to him) is x- The correct identification probability for the 
eavesdropper is 



For any state delayed by time (distance) Xj the probability of passing a test for possible delay based on the outcomes 
of the measurement (14,15) performed by the legitimate user B is 



Prs{x} = Tv{\:F){:F\{Vo{tB) + ViitB))} = (26) 
dxJ'ix - tB):F*{x -te)^ < U dx\J^{x - tB)\A U dx\:F{x - tB)\A < (l - |) . 



{L-x} 

It is sufficient to consider pure delayed states only, since the linearity arguments can be applied to the case of mixed 
states. In Eq. (26) we took advantage of the Cauchy-Bunyakowskii inequality. The integration domain is restricted 
to L — X since because of the limited propagation velocity, no state delayed by time x cannot reach by the moment of 
measurement ts the extreme right boundary of domain L; remember also that J^{x — ts) = l/\/i. 

Thus the probability for the eavesdropper to know the transmitted bit and simultaneously pass the test performed 
by user B is 

Pv{UtE = UtAf\Epass test,x] = PrE{x}-Prs{x} = \U + ^^^^^) ' " f ) ' ^"""""^ ^ li^ ^ 1~) ' ^^^^ 
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Therefore, for a specified channel length the probability maximum in Eq. (27) is reached at the interval boundary at 
X = 0. If the channel length equals the effective state extent {Lch = L), this probability is unit. In that case the 
eavesdropper can reliably know each transmitted state and remain undetected. For Lch = the maximum is reached 
at X = and the probability is 1/2, which means that the eavesdropper simply guesses the transmitted state. 

Up to this moment, we have not yet taken into account the noise in communication channel. Let us demonstrate 
now that in a noisy channel the probability (27) cannot exceed the corresponding value for the ideal channel. To do 
this, we shall take advantage of the relativistic causality arguments. The state modification induced by noise can be 
described by an appropriate instrument taking into account the relativistic restrictions imposed on it. The instrument 
can generally be written as [24-27] 

T[...]=J2^k[-]S+, Sk = ^/^i^\<pk){'Pk\, ^Afc5fe5+<1, Afc>0, (28) 

k k 

Tt{T[|Vo,i)(Vo,i|]/(OB,te)} = Y.TT{\ijo,i){M{SkI{^E,te)S^)} < ^ AfcTr{ | Vo,i) (^0,1 1 (^fc) (v'fc I)} < (29) 

fe fe 

^h\{y^k\i'OA)\'^ <^h{y^k\y^k){i'0A\'4'0A) < {i^o,i\'4'o,i) = [ dx\j^{x-tA) =1 dxr{x-tE) ■ 

k k JUa JO.e 

The last equality in Eq. (29) reflects the fact that the amplitude T{x — Ia) of state 

l^i'o,!) = / dxJ^{x -tA)\x,tA) <^\eo,\) = I dxJ^{x -tE)\x,tE) <^\eQ^i) (30) 

at time Ia is completely localized in the domain x G ^a, and will not be completely localized in domain x G earlier 
than a.t tE = tA + dist{flE, ^^a)- Strictly speaking, in the field theory the problem cannot be treated as a single-particle 
one in the sense that the operator S involves the processes associated with creation of particles and absorption of other 
photons entering the channel from the environment which can be treated as a sort of noise. However, detection of these 
external photons can obviously provide no additional information on the transmitted bit. Therefore, the probability for 
the eavesdropper to know an individual transmitted bit and remain undetected by the legitimate user B does not exceed 
the corresponding probability Prmax = 1/2(1 + L^h/L) for the ideal channel. 
Let us know describe the protocol. 

• At the time moments agreed upon beforehand, user A prepares and sends into the communication channel the states 
1^0, i)) while user B performs measurements described by the identity resolution (14,15). Only the bits which pass 
the test (i.e. those which produced the outcomes in channels 'Po,i(iB)) are kept, and all the rest transmissions are 
discarded (V±(tB))- If the channel is ideal and eavesdropping is absent, each bit sent by user A is reliably identified 
by user B and contributes to the key (in contrast to the cryptosystems based on non-orthogonal states). 

• Then the noise (identification error probability) is estimated. Users A and B disclose some of the transmissions 
and obtain an estimate for the error probability p^rr counting the number of inconsistencies in their data sets. The 
disclosed bits are discarded from the transmitted string. 

• The "antedate" coding is performed. User A divides the remaining transmissions into the groups each consisting of 

k identical bits (either all zeros or all units) and announces through a public channel which transmission belongs to 
which group without disclosing the values of the bits occurring in each group. User B performs the error correction 
for each block employing a simple majority voting principle [28]. The number k is chosen sufficiently large to reduce 

k k 

the error in identification of the block-wise bits bit{i) (0 = {0,0, ...0} and 1 = {1, 1, ...1}) below « p^^r ^ Perr- This 
procedure enhances the probability of survival of the bit string finally accepted both users as the generated key. Then 

the block-wise bits are assigned their reference numbers. 

• The users form N+M parity bits Bit = J2^=i (Bbit{i) from the block-wise bits. This is achieved by user A announcing 
the reference numbers of the block-wise bits included into each parity bit. Produced in this way is a new string of 
parity bits. 

• Hashing procedure consisting of M rounds is applied to N + M parity bits Bit{j), j = 1..N -\- M. To do this, user 
A in each round chooses a random string si of length N + M — I {I = 1...M) and announces it to user B through a 

public channel. Then user A and B check the parities of the subsets of bits in their strings (Bit a and Bits) comparing 
the parities with the string si, since s; • BHa = si ■ Bits = (s; • BHa) ® {si ■ Bits) = si ■ {BitA © Bits)- If the parities 
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of the substrings coincide, one bit in the specified position is discarded form the strings Bit a and BUb- If the parities 
are different, the protocol is aborted. After M successful rounds the probability for the two remaining strings BUa 
and Bits possessed by users A and B, respectively, and each consisting of N parity bits to be different is [29] 

Pv{sa{N)^sb{N)} = 2-^. (31) 

By appropriate choice of M one can always make this probability sufficiently small. Hence the first part of the protocol 
security criterion (Eqs. (1) and (2)) is proved. 

• The probability for the eavesdropper to reliably know one of the parity bits and remain undetected is calculated in 
the following way. The total number of ways in which every parity bit can be built from the block- wise bits is [30] 

1 _ ^ nn-k ^ 1 1 

\ E = V E ) (-^-) « ^2-^ (32) 

1=0 ;=i 

The Hartley information of the set of block- wise strings is (to within the rounding error) the number of binary symbols 
required to identify the string parity which practically coincides with the string length n-k: 

nn-k ^ J 

I = log,{— Y^cos^Hj) COS {nlTT))^7j n-k, « 1, (33) 

that is almost all the bits in the string should be known. The probability of knowing every bit and passing the test is 

does not exceed (27) so that the conditional probability for the eavesdropper to know N final bits (key) transmitted 
by user A and accepted by both users as the key is (remember that (1 + Lch/L)/2 < 1) 

Pv{sa{N) = se{N)} = 2-^{l + 2 • 2-''"-'=[(l + Xeft/L)]''-" '^}^ = 2-^(1 + 2C)^, C = 2-''" '=[(l + Xeft/L)]"-" ^ (34) 

Mutual information on the string of final bits of length N possessed by user A available to the eavesdropper is 

I{A- E) = I{A) - I{A\E), I{A) = -log22-^, I{A\E) = -log2Pr{s^(7V) = se{N)}, (35) 

where I{A) is the proper information of the final string sa{N) of length N, I{A\E) is the conditional information 
on the string sa{N) available to E. Since all possible bit strings arise with the same probability and the conditional 
probability for all strings is the same, we use the information which is not yet averaged over the string distribution. 
The conditional information has a natural interpretation as the number of additional bits required for E to reliably 
recover the bit string of length N. As to the mutual information, it is interpreted as the number of bits measuring 
the information on string sa{N) of length N available to the eavesdropper [31]. Taking into account Eqs. (34,35) one 
obtains for the mutual information between A and E: 

I{A; E)=N-N + Mog2(l + 2C) « = 2N ■ 2-''"-'=[(l + Leji^)]"'"' Vln2 < 1. (36) 

For any specified A'', L^h, and L {Lch < L) this information can be made exponentially small in the parameter n ■ k. 

• Let us now show that the mutual information available to E on the string Sb{N) is also exponentially small. Mutual 
information between A and B is 

o-M 

I{A; B) = I{A) - I{A\B) = -log^i-"" + logs Px{sa{N) = sb{N)} =N + \og^{l - 2"^) ^N- (37) 

Taking advantage of the triangle inequality for the information [32] one finally obtains 

I{A\E)<I{A\B)+I{B\E), I{B\E)>N-(2N-C-2-^)/\n2, /(B; i;) < (2iV • C - 2-*^)/ln2 < 1. (38) 

Thus the second part of (Eqs. (3) and (4)) of the security criterion is also proved. 
We are grateful to Lev Vaidman for useful discussion of obtained results. 

This work was supported by the Russian Foundation for Basic Research (grant # 99-02-18127). 
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